Integrate postnumber resolver across MAS flows

docs/reference/configuration.md

@@ -358,6 +358,25 @@ account:
   # When enabled, users must provide a valid registration token during password
   # registration. This has no effect if password registration is disabled.
   registration_token_required: false
+
+  # Optional external resolver for validating postnumbers (usernames) during
+  # registration. When configured, every self-service and upstream-OAuth
+  # registration will call this service. The Admin API also calls this,
+  # but allows explicitly claiming reserved postnumbers via the
+  # `claim_reserved_postnumber` flag.
+  #
+  # Omit this section entirely to disable postnumber validation.
+  #postnumber_validation:
+  #  # URL of the postnumber-resolver service (required)
+  #  endpoint: "http://localhost:3001/"
+  #
+  #  # Per-request timeout in seconds (default: 2)
+  #  timeout: 2
+  #
+  #  # What to do when the resolver is unreachable:
+  #  #   - "closed" (default): reject the registration
+  #  #   - "open": allow the registration to proceed
+  #  on_unavailable: closed
 ```
 
 ## `captcha`